Of the 128 fixes included in this Critical Patch Update, 4 are for Oracle Database Server. The most severe Database vulnerability has received a CVSS Base Score of 10.0 for the Windows platform and 7.5 on other platforms (e.g., Solaris, Linux). This vulnerability is limited to Oracle Database 11.2.0.2 and 11.2.0.3 operating in RAC configurations.

This Critical Patch Update also includes 29 security fixes for Oracle Fusion Middleware. The most severe of these vulnerabilities has also received a CVSS Base Score of 10.0 and in fact corresponds to a series of vulnerabilities in the Java Runtime Environment that are applicable to JRockit. In addition, a number of these fixes are for third-party components included in Oracle Fusion Middleware.

This Critical Patch Update includes a significant number of security fixes for Oracle Applications. This high number is due in some part to the recent inclusion of new product lines in the Critical Patch Update (e.g., Oracle FLEXCUBE). Oracle E-Business Suite receives 6 new security fixes, Oracle Supply Chain Products Suite receives 3, PeopleSoft Enterprise 11, Oracle Siebel CRM 8, Oracle Industry Applications 3, and Oracle FLEXCUBE 18. In addition, this Critical Patch Update includes 2 security fixes for Oracle Primavera.

As with previous Critical Patch Updates, this Critical Patch Update also provides a significant number of security fixes for the Oracle and Sun Systems Products Suite. 18 new fixes for the Sun Product Suite are provided, including 16 fixes affecting Solaris and 2 for Oracle GlassFish Server. The most severe of these vulnerabilities has received a CVSS Base Score of 6.4.

Also included in this Critical Patch Update are 25 new security fixes for Oracle MySQL (the most severe of these bugs has received a CVSS Base Score of 6.8) and one new security fix for Oracle Support Tools (specifically Automatic Service Request (ASR), a support utility used to automatically generate service requests in the event of specific hardware failures).

As usual, Oracle recommends that this Critical Patch Update be applied as soon as possible so as to ensure that the in-depth security posture of the organization is maintained. As a reminder, Oracle also today released a Critical Patch Update for Java SE. The content of the Critical Patch Update for Java SE and a highlight of Oracle’s security plan for Java are discussed in a separate blog entry.

Monday Mar 04, 2013

Today Oracle released Security Alert CVE-2013-1493 to address two vulnerabilities affecting Java running in web browsers (CVE-2013-1493 and CVE-2013-0809). One of these vulnerabilities (CVE-2013-1493) has recently been reported as being actively exploited by attackers to maliciously install the McRat executable onto unsuspecting users’ machines. Both vulnerabilities affect the 2D component of Java SE. These vulnerabilities are not applicable to Java running on servers, standalone Java desktop applications or embedded Java applications. They also do not affect Oracle server-based software. These vulnerabilities have each received a CVSS Base Score of 10.0.

The company intended to include a fix for CVE-2013-1493 in the April 16, 2013 Critical Patch Update for Java SE (note that Oracle recently announced its intent to have an additional Java SE security release on this date in addition to those previously scheduled in June and October of 2013). However, in light of the reports of active exploitation of CVE-2013-1493, and in order to help maintain the security posture of all Java SE users, Oracle decided to release a fix for this vulnerability and another closely related bug as soon as possible through this Security Alert.

As always, Oracle recommends that this Security Alert be applied as soon as possible. Desktop users can install this new version from java.com or through the Java autoupdate. Desktop users should also be aware that Oracle has recently switched Java security settings to “high” by default. This high security setting requires users to expressly authorize the execution of applets which are either unsigned or are self-signed. As a result, unsuspecting users visiting malicious web sites will be notified before an applet is run and will gain the ability to deny the execution of the potentially malicious applet. In order to protect themselves, desktop users should only allow the execution of applets when they expect such applets and trust their origin.

As stated in previous blogs, Oracle is committed to accelerating the release of security fixes for Java SE, particularly to help address the security-worthiness of Java running in browsers. The quick release of this Security Alert, the higher number of Java SE fixes included in recent Critical Patch Updates, and the announcement of an additional security release date for Java SE (the April 16th Critical Patch Update for Java SE) are examples of this commitment.

Tuesday Feb 19, 2013

Oracle today released the updated February 2013 Critical Patch Update for Java SE. As discussed in a previous blog entry, the purpose of this update is to deliver 5 additional fixes which could not be included when Oracle accelerated the release of the Critical Patch Update by publishing it on February 1st instead of February 19th. Note that since Critical Patch Updates for Java SE are cumulative, this Critical Patch Update release also includes all previously-released Java SE security fixes.

All but one of the vulnerabilities fixed today apply to client deployment of Java. This means that these 4 vulnerabilities can be exploited through Java Web Start applications on desktops and Java applets in Internet browsers. Three of these vulnerabilities received a CVSS Base Score of 10.0. As I stated before, Oracle reports the most severe CVSS Base Score, and these CVSS 10.0s assume that the user running the malicious Java Applet or Java Web Start application has administrator privileges (as is typical on Windows XP). However, when the user does not run with administrator privileges (as is typical on Solaris and Linux), the corresponding CVSS impact scores for Confidentiality, Integrity, and Availability are "Partial" instead of "Complete", typically lowering the CVSS Base Score to 7.5, denoting that the compromise does not extend to the underlying Operating System.

The last security fix added by this updated Critical Patch Update release applies to server deployments of the Java Secure Socket Extension (JSSE). This fix is for a vulnerability commonly referred to as the “Lucky Thirteen” vulnerability in SSL/TLS (CVE-2013-0169). This vulnerability has received a CVSS Base Score of 4.3.

Finally, note that Oracle’s intent is to continue to accelerate the release of Java fixes, particularly to help address the security worthiness of the Java Runtime Environment (JRE) in desktop browsers. As a result, we will be issuing a Critical Patch Update for Java SE on April 16, 2013 at the same time as the normally scheduled Critical Patch Update for all non-Java products. The next scheduled release dates for the Critical Patch Update for Java SE are therefore: April 16, 2013; June 18, 2013; October 15, 2013; and January 14, 2014.

As a result of the accelerated release of the Critical Patch Update, Oracle did not include a small number of fixes initially intended for inclusion in the February 2013 Critical Patch Update for Java SE.Oracle is therefore planning to release an updated version of the February 2013 Critical Patch Update on the initially scheduled date.

This updated February 2013 Critical Patch Update will be published on February 19th and will include the fixes that couldn’t be released on February 1st. A new Critical Patch Update Advisory will also be published on February 19th on http://www.oracle.com/technetwork/topics/security/alerts-086861.html to include information about the additional fixes being released.

Note that Critical Patch Updates for Java SE are cumulative. As a result, organizations that may not have applied the February 1st release will be able to apply the updated Critical Patch Update when it is published, and will then gain the benefit of all previously released Java SE fixes. As usual, desktop users will be able to install this new version from java.com or through the Java autoupdate.

Friday Feb 01, 2013

Oracle just released the February 2013 Critical Patch Update for Java SE. The Critical Patch Update for Java SE was originally scheduled for February 19th, but Oracle decided to accelerate its release because one of the vulnerabilities it addresses, affecting the Java Runtime Environment (JRE) in desktop browsers, was being actively exploited “in the wild”.

In addition to a number of security-in-depth fixes, the February 2013 Critical Patch Update for Java SE contains fixes for 50 security vulnerabilities. 44 of these vulnerabilities only affect client deployment of Java (e.g., Java in Internet browsers). In other words, these vulnerabilities can only be exploited on desktops through Java Web Start applications or Java applets. In addition, one vulnerability affects the installation process of client deployment of Java (i.e. installation of the Java Runtime Environment on desktops). Note also that this Critical Patch Update includes the fixes that were previously released through Security Alert CVE-2013-0422.

3 of the vulnerabilities fixed in this Critical Patch Update apply to client and server deployment of Java; that means that these vulnerabilities can be exploited on desktops through Java Web Start and Java applets in browsers, or on servers, by supplying malicious input to APIs in the vulnerable server components. In some instances, the exploitation scenario for this kind of bug on servers is very improbable; for example, one of these vulnerabilities can only be exploited against a server in the unlikely scenario that the server was allowed to process image files from an untrusted source.

Finally, 2 of the vulnerabilities fixed in this Critical Patch Update only apply to server deployment of the Java Secure Socket Extension (JSSE).

The maximum CVSS Base Score for the vulnerabilities fixed in this Critical Patch Update is 10.0. This score applies to 26 vulnerabilities: 23 of which are client-side vulnerabilities, and 3 applicable to client and server deployments.

This Critical Patch Update is consistent with previous Java security releases, in that most of the vulnerabilities addressed in this Critical Patch Update only affect Java and Java FX client deployments. This reflects the fact that the Java server environment is more secure than the Java Runtime Environment in browsers because servers operate in a more secure and controlled environment.

The popularity of the Java Runtime Environment in desktop browsers, and the fact that Java in browsers is OS-independent, makes Java an attractive target for malicious hackers. Note however that, as stated in a previous blog entry, Oracle reports the most severe CVSS Base Score.

Furthermore, to help mitigate the threat of malicious applets (Java exploits in internet browsers), Oracle has switched the Java security settings to “high” by default. The "high" security setting requires users to expressly authorize the execution of unsigned applets, allowing a browser user to deny execution of a suspicious applet (where in the past a suspicious applet could execute "silently"). As a result, unsuspecting users visiting malicious web sites will be notified before an applet is run and will gain the ability to deny the execution of the potentially malicious applet. In addition, Oracle has recently introduced the ability for users to easily disable Java in their browsers through the Java Control Panel on Windows.

As stated at the beginning of this blog, Oracle decided to release this Critical Patch Update earlier than planned. After receiving reports of a vulnerability in the Java Runtime Environment (JRE) in desktop browsers, Oracle quickly confirmed these reports, and then proceeded with accelerating normal release testing around the upcoming Critical Patch Update distribution, which already contained a fix for the issue. Oracle felt that releasing this Critical Patch Update two weeks ahead of our intended schedule, instead of releasing a one-off fix through a Security Alert, would be more effective in helping preserve the security posture of Java customers. The size of this Critical Patch Update, as well as its early publication, demonstrate Oracle’s intention to accelerate the release of Java fixes, particularly to help address the security worthiness of the Java Runtime Environment (JRE) in desktop browsers.

Tuesday Jan 15, 2013

Today, Oracle released the January 2013 Critical Patch Update. This Critical Patch Update provides fixes for 86 vulnerabilities across a number of product families including the Oracle Database, Oracle Database Mobile Server, Oracle Enterprise Manager Grid Control, Oracle Fusion Middleware, Oracle E-Business Suite, Oracle Supply Chain Products Suite, Oracle PeopleSoft Enterprise, Oracle JDEdwards Enterprise One, Oracle Siebel CRM, Oracle Sun Products Suite, Oracle Virtualization, and Oracle MySQL. As a reminder, fixes for Java SE continue to be released on a separate schedule due to contractual commitments previously made with customers (the next Critical Patch Update for Java SE will be released on February 19, 2013); accordingly, this Critical Patch Update does not contain fixes for Java SE and it is not related to the recently released Security Alert CVE-2013-0422 intended for Java SE.

Of the 86 fixes, 1 is specific to Oracle Database Server; this vulnerability, which affects the Spatial component of the Database, has a CVSS Base Score of 9.0, and it is not remotely exploitable without authentication. 5 of the vulnerabilities are for the Oracle Database Mobile Server, typically used for connecting embedded devices and mobile applications to the Oracle Database. The maximum CVSS Base Score for the 5 Oracle Database Mobile Server vulnerabilities is 10.0, and these vulnerabilities are all remotely exploitable without authentication. Note also that 10 Enterprise Manager Grid Control fixes are applicable for Database deployments.

This Critical Patch Update includes fixes for 7 security vulnerabilities in Oracle Fusion Middleware, 5 of which are remotely exploitable without authentication. The maximum CVSS Base Score for these Fusion Middleware vulnerabilities is 5.0.

13 fixes are for Oracle Enterprise Manager Grid Control, 12 of which are remotely exploitable without authentication. The maximum CVSS Base Score for these Enterprise Manager vulnerabilities is 5.0. As stated earlier, 10 of these Enterprise Manager Grid Control fixes are applicable for Database deployments.

This Critical Patch Update provides the following applications security fixes: 9 for E-Business Suite, 1 for Supply Chain Products Suite, 12 for PeopleSoft Enterprise, 1 for JDEdwards EnterpriseOne, 10 for Siebel CRM. As indicated in the Critical Patch Update Advisory, most Oracle applications deployments include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections of the Advisory, and these need to be patched as well.

Finally, this Critical Patch Update provides 8 fixes for the Oracle Sun Products Suite (the highest CVSS Base Score for these vulnerabilities is 6.6), 1 for Oracle Virtualization (with a CVSS Base Score of 2.4), and 18 for Oracle MySQL. The highest CVSS Base Score for the MySQL vulnerabilities is 9.0 on Windows platforms, and 6.5 on other platforms (e.g. Linux).

Oracle continues to recommend that, even though other mitigation measures may be available, Critical Patch Updates be applied as soon as possible in order for organizations to retain their security-in-depth posture.

Sunday Jan 13, 2013

Oracle has just released Security Alert CVE-2013-0422 to address two vulnerabilities affecting Java in web browsers. These vulnerabilities do not affect Java on servers, Java desktop applications, or embedded Java. The vulnerabilities addressed with this Security Alert are CVE-2013-0422 and CVE-2012-3174. These vulnerabilities, which only affect Oracle Java 7 versions, are both remotely exploitable without authentication and have received a CVSS Base Score of 10.0. Oracle recommends that this Security Alert be applied as soon as possible because these issues may be exploited “in the wild” and some exploits are available in various hacking tools.

The exploit conditions for these vulnerabilities are the same. To be successfully exploited, an attacker needs to trick an unsuspecting user into browsing a malicious website. The execution of the malicious applet within the browser of the unsuspecting user then allows the attacker to execute arbitrary code on the vulnerable system. These vulnerabilities are applicable only to Java in web browsers because they are exploitable through malicious browser applets.

With this Security Alert, and in addition to the fixes for CVE-2013-0422 and CVE-2012-3174, Oracle is switching Java security settings to “high” by default. The high security setting requires users to expressly authorize the execution of applets which are either unsigned or are self-signed. As a result, unsuspecting users visiting malicious web sites will be notified before an applet is run and will gain the ability to deny the execution of the potentially malicious applet. Note also that Java SE 7 Update 10 introduced the ability for users to easily disable Java in their browsers through the Java Control Panel.

As a reminder, the release of security patches for Java SE continues to be on a different schedule than for other Oracle products due to commitments made to customers prior to the Oracle acquisition of Sun Microsystems. We do however expect to ultimately bring Java SE in line with the regular Critical Patch Update schedule, thus increasing the frequency of scheduled security releases for Java SE to 4 times a year (as opposed to the current 3 yearly releases). The schedules for the “normal” Critical Patch Update and the Critical Patch Update for Java SE are posted online on the Critical Patch Updates and Security Alerts page.

Out of these 109 new vulnerabilities, 5 affect Oracle Database Server. The most severe of these Database vulnerabilities has received a CVSS Base Score of 10.0 on Windows platforms and 7.5 on Linux and Unix platforms. This vulnerability (CVE-2012-3137) is related to the “Cryptographic flaws in Oracle Database authentication protocol” disclosed at the Ekoparty Conference. Because of timing considerations (proximity to the release date of the October 2012 Critical Patch Update) and the need to extensively test the fixes for this vulnerability to ensure compatibility across the product stack, the fixes for this vulnerability were not released through a Security Alert; instead, mitigation instructions were provided prior to the release of the fixes in this Critical Patch Update in My Oracle Support Note 1492721.1. Because of the severity of these vulnerabilities, Oracle recommends that this Critical Patch Update be installed as soon as possible.

Another 26 vulnerabilities fixed in this Critical Patch Update affect Oracle Fusion Middleware. The most severe of these Fusion Middleware vulnerabilities has received a CVSS Base Score of 10.0; it affects Oracle JRockit and is related to Java vulnerabilities fixed in the Critical Patch Update for Java SE.

The Oracle Sun products suite gets 18 new security fixes with this Critical Patch Update. Note also that Oracle MySQL has received 14 new security fixes; the most severe of these MySQL vulnerabilities has received a CVSS Base Score of 9.0.

Today’s Critical Patch Update for Java SE provides 30 new security fixes. The most severe CVSS Base Score for these Java SE vulnerabilities is 10.0 and this score affects 10 vulnerabilities. As usual, Oracle reports the most severe CVSS Base Score, and these CVSS 10.0s assume that the user running a Java Applet or Java Web Start application has administrator privileges (as is typical on Windows XP). However, when the user does not run with administrator privileges (as is typical on Solaris and Linux), the corresponding CVSS impact scores for Confidentiality, Integrity, and Availability are "Partial" instead of "Complete", typically lowering the CVSS Base Score to 7.5 denoting that the compromise does not extend to the underlying Operating System.

Also, as is typical in the Critical Patch Update for Java SE, most of the vulnerabilities affect Java and Java FX client deployments only. Only 2 of the Java SE vulnerabilities fixed in this Critical Patch Update affect client and server deployments of Java SE, and only one affects server deployments of JSSE. This reflects the fact that Java running on servers operates in a more secure and controlled environment. As discussed during a number of sessions at JavaOne, Oracle is considering security enhancements for Java in desktop and browser environments.

Finally, note that the Critical Patch Update for Java SE is cumulative, in other words it includes all previously released security fixes, including the fix provided through Security Alert CVE-2012-4681, which was released on August 30, 2012.

Thursday Aug 30, 2012

Oracle has just released Security Alert CVE-2012-4681 to address 3 distinct but related vulnerabilities and one security-in-depth issue affecting Java running in desktop browsers. These vulnerabilities are: CVE-2012-4681, CVE-2012-1682, CVE-2012-3136, and CVE-2012-0547. These vulnerabilities are not applicable to standalone Java desktop applications or Java running on servers, i.e. these vulnerabilities do not affect any Oracle server based software.

Vulnerabilities CVE-2012-4681, CVE-2012-1682, and CVE-2012-3136 have each received a CVSS Base Score of 10.0. This score assumes that the affected users have administrative privileges, as is typical in Windows XP. Vulnerability CVE-2012-0547 has received a CVSS Base Score of 0.0 because this vulnerability is not directly exploitable in typical user deployments, but Oracle has issued a security-in-depth fix for this issue as it can be used in conjunction with other vulnerabilities to significantly increase the overall impact of a successful exploit.

If successfully exploited, these vulnerabilities can provide a malicious attacker the ability to plant discretionary binaries onto the compromised system, e.g. the vulnerabilities can be exploited to install malware, including Trojans, onto the targeted system. Note that this malware may in some instances be detected by current antivirus signatures upon its installation.

Due to the high severity of these vulnerabilities, Oracle recommends that customers apply this Security Alert as soon as possible. Furthermore, note that the technical details of these vulnerabilities are widely available on the Internet and Oracle has received external reports that these vulnerabilities are being actively exploited in the wild.

Friday Aug 10, 2012

Oracle today released Security Alert CVE-2012-3132 to address a vulnerability affecting the Oracle Database Server, which was publicly disclosed at BlackHat 2012. With a CVSS Base Score of 6.5, this vulnerability involves the ‘INDEXTYPE CTXSYS.CONTEXT’, and if successfully exploited, can allow a malicious attacker to gain ‘SYS’ privileges. This vulnerability does not affect 11gR2 databases which have applied the July 2012 Critical Patch Update. Note that this vulnerability is not remotely exploitable without authentication; in other words, the attacker needs to have credentials and specific privileges, including the ‘Create Table’ privilege, in order to create the exploit conditions. Oracle recommends that organizations apply this Security Alert as soon as possible because the technical details of this vulnerability have been very widely disclosed and one can easily find sample exploit code over the Internet.

As much as possible, it is important that organizations use the most current product versions available to them. As stated in each Critical Patch Update and Security Alert Advisory, Oracle does not generally test for the presence of the vulnerabilities fixed through the Critical Patch Update and Security Alert programs in releases of affected product lines that are no longer supported. However, it is likely that these vulnerabilities exist in previously released, but no longer supported releases of the affected products. In a previous blog entry, I discussed Oracle’s security fixing policies, and recommended that customers remain on current releases in order to take advantage of Oracle’s ongoing security assurance effort. This Security Alert, along with all recently released Critical Patch Updates, is an example of the importance of keeping up with newer and actively supported releases. Customers on unsupported versions, unless they have purchased Extended Support under the Lifetime Support Policy, will not receive a permanent fix for the release they are running.

It is unfortunate when the technical details of a security vulnerability are disclosed before a fix could be made available, especially when the disruption resulting from having to deal with an unplanned patch, and the amount of time required by customers to apply the patch, may yield less of a security posture improvement than other security efforts, such as ongoing hardening and auditing.